-
Notifications
You must be signed in to change notification settings - Fork 10
Expand file tree
/
Copy pathcontainer_scan.go
More file actions
205 lines (169 loc) · 6.87 KB
/
container_scan.go
File metadata and controls
205 lines (169 loc) · 6.87 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
// Package cmd implements the CLI commands for the Codacy CLI tool.
package cmd
import (
"fmt"
"os"
"os/exec"
"regexp"
"strings"
"codacy/cli-v2/utils/logger"
"github.com/fatih/color"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
)
// validImageNamePattern validates Docker image references
// Allows: registry/namespace/image:tag or image@sha256:digest
// Based on Docker image reference specification
var validImageNamePattern = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9._\-/:@]*$`)
// Flag variables for container-scan command
var (
severityFlag string
pkgTypesFlag string
ignoreUnfixedFlag bool
)
func init() {
containerScanCmd.Flags().StringVar(&severityFlag, "severity", "", "Comma-separated list of severities to scan for (default: HIGH,CRITICAL)")
containerScanCmd.Flags().StringVar(&pkgTypesFlag, "pkg-types", "", "Comma-separated list of package types to scan (default: os)")
containerScanCmd.Flags().BoolVar(&ignoreUnfixedFlag, "ignore-unfixed", true, "Ignore unfixed vulnerabilities")
rootCmd.AddCommand(containerScanCmd)
}
var containerScanCmd = &cobra.Command{
Use: "container-scan <IMAGE_NAME> [IMAGE_NAME...]",
Short: "Scan container images for vulnerabilities using Trivy",
Long: `Scan one or more container images for vulnerabilities using Trivy.
By default, scans for HIGH and CRITICAL vulnerabilities in OS packages,
ignoring unfixed issues. Use flags to override these defaults.
The --exit-code 1 flag is always applied (not user-configurable) to ensure
the command fails when vulnerabilities are found in any image.`,
Example: ` # Scan a single image
codacy-cli container-scan myapp:latest
# Scan multiple images
codacy-cli container-scan myapp:latest nginx:alpine redis:7
# Scan only for CRITICAL vulnerabilities across multiple images
codacy-cli container-scan --severity CRITICAL myapp:latest nginx:alpine
# Scan all severities and package types
codacy-cli container-scan --severity LOW,MEDIUM,HIGH,CRITICAL --pkg-types os,library myapp:latest
# Include unfixed vulnerabilities
codacy-cli container-scan --ignore-unfixed=false myapp:latest`,
Args: cobra.MinimumNArgs(1),
Run: runContainerScan,
}
// validateImageName checks if the image name is a valid Docker image reference
// and doesn't contain shell metacharacters that could be used for command injection
func validateImageName(imageName string) error {
if imageName == "" {
return fmt.Errorf("image name cannot be empty")
}
// Check for maximum length (Docker has a practical limit)
if len(imageName) > 256 {
return fmt.Errorf("image name is too long (max 256 characters)")
}
// Check for dangerous shell metacharacters first for specific error messages
dangerousChars := []string{";", "&", "|", "$", "`", "(", ")", "{", "}", "<", ">", "!", "\\", "\n", "\r", "'", "\""}
for _, char := range dangerousChars {
if strings.Contains(imageName, char) {
return fmt.Errorf("invalid image name: contains disallowed character '%s'", char)
}
}
// Validate against allowed pattern for any other invalid characters
if !validImageNamePattern.MatchString(imageName) {
return fmt.Errorf("invalid image name format: contains disallowed characters")
}
return nil
}
// getTrivyPath returns the path to the Trivy binary or exits if not found
func getTrivyPath() string {
trivyPath, err := exec.LookPath("trivy")
if err != nil {
logger.Error("Trivy not found", logrus.Fields{"error": err.Error()})
color.Red("❌ Error: Trivy is not installed or not found in PATH")
fmt.Println("Please install Trivy to use container scanning.")
fmt.Println("Visit: https://trivy.dev/latest/getting-started/installation/")
fmt.Println("exit-code 2")
os.Exit(2)
}
logger.Info("Found Trivy", logrus.Fields{"path": trivyPath})
return trivyPath
}
func runContainerScan(_ *cobra.Command, args []string) {
imageNames := args
// Validate all image names first
for _, imageName := range imageNames {
if err := validateImageName(imageName); err != nil {
logger.Error("Invalid image name", logrus.Fields{"image": imageName, "error": err.Error()})
color.Red("❌ Error: %v", err)
fmt.Println("exit-code 2")
os.Exit(2)
}
}
logger.Info("Starting container scan", logrus.Fields{"images": imageNames, "count": len(imageNames)})
trivyPath := getTrivyPath()
hasVulnerabilities := false
for i, imageName := range imageNames {
if len(imageNames) > 1 {
fmt.Printf("\n📦 [%d/%d] Scanning image: %s\n", i+1, len(imageNames), imageName)
fmt.Println(strings.Repeat("-", 50))
} else {
fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
}
// #nosec G204 -- imageName is validated by validateImageName() which checks for
// shell metacharacters and enforces a strict character allowlist. Additionally,
// exec.Command passes arguments directly without shell interpretation.
trivyCmd := exec.Command(trivyPath, buildTrivyArgs(imageName)...)
trivyCmd.Stdout = os.Stdout
trivyCmd.Stderr = os.Stderr
logger.Info("Running Trivy container scan", logrus.Fields{"command": trivyCmd.String()})
if err := trivyCmd.Run(); err != nil {
if exitError, ok := err.(*exec.ExitError); ok && exitError.ExitCode() == 1 {
logger.Warn("Vulnerabilities found in image", logrus.Fields{"image": imageName})
hasVulnerabilities = true
} else {
logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error(), "image": imageName})
color.Red("❌ Error: Failed to run Trivy for %s: %v", imageName, err)
fmt.Println("exit-code 2")
os.Exit(2)
}
} else {
logger.Info("No vulnerabilities found in image", logrus.Fields{"image": imageName})
}
}
// Print summary for multiple images
fmt.Println()
if hasVulnerabilities {
logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{"images": imageNames})
color.Red("❌ Scanning failed: vulnerabilities found in one or more container images")
fmt.Println("exit-code 1")
os.Exit(1)
}
logger.Info("Container scan completed successfully", logrus.Fields{"images": imageNames})
color.Green("✅ Success: No vulnerabilities found matching the specified criteria")
fmt.Println("exit-code 0")
}
// buildTrivyArgs constructs the Trivy command arguments based on flags
func buildTrivyArgs(imageName string) []string {
args := []string{
"image",
"--scanners", "vuln",
}
// Apply --ignore-unfixed if enabled (default: true)
if ignoreUnfixedFlag {
args = append(args, "--ignore-unfixed")
}
// Apply --severity (use default if not specified)
severity := severityFlag
if severity == "" {
severity = "HIGH,CRITICAL"
}
args = append(args, "--severity", severity)
// Apply --pkg-types (use default if not specified)
pkgTypes := pkgTypesFlag
if pkgTypes == "" {
pkgTypes = "os"
}
args = append(args, "--pkg-types", pkgTypes)
// Always apply --exit-code 1 (not user-configurable)
args = append(args, "--exit-code", "1")
// Add the image name as the last argument
args = append(args, imageName)
return args
}